Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 9 submissions in the queue.
posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Leebert on Thursday September 25 2014, @05:43AM

    by Leebert (3511) on Thursday September 25 2014, @05:43AM (#98104)

    SUNWbash package untouched... It surprised me until I rememberd that Solaris is now owned by Oracle.

    Oh well. At least /bin/sh is Korn shell, and someone has to be explicitly calling Bash.

    And anyway, we're paying for support. That makes us safe, right?

    I should probably go to bed now. I think I'm going to have a lot of management meetings in the morning, and I'm gonna need to dial that cynicism way down.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 1) by fooetc on Friday September 26 2014, @06:08AM

    by fooetc (4756) on Friday September 26 2014, @06:08AM (#98500)
    I've put Solaris packages for bash 4.3.p026 on Solaris 8,9,10,11 for x86 and SPARC on the package archive. It also requires readline, gettext and libiconv.
    http://www.ibiblio.org/pub/packages/solaris/sparc/ [ibiblio.org]

    ta,
    Mark.